diff --git a/nodejs/src/controller/web/brainController.js b/nodejs/src/controller/web/brainController.js
index 1547865d..ae3b7cd5 100644
--- a/nodejs/src/controller/web/brainController.js
+++ b/nodejs/src/controller/web/brainController.js
@@ -38,7 +38,15 @@ const deleteBrain = catchAsync(async (req, res) => {
 return util.failureResponse(_localize('module.deleteError', req, BRAIN), res);
 })
+const { ROLE_TYPE } = require('../../config/constants/common');
+
 const deleteAllBrain = catchAsync(async (req, res) => {
+ // Controller-level defense: allow only COMPANY or MANAGER roles
+ if (!(req.roleCode === ROLE_TYPE.COMPANY || req.roleCode === ROLE_TYPE.COMPANY_MANAGER)) {
+ res.message = _localize('auth.permission', req);
+ return util.unAuthorizedRequest(res);
+ }
+
 const result = await brainService.deleteAllBrain(req);
 if (result) {
 res.message = _localize('module.delete', req, BRAIN);
@@ -135,5 +143,5 @@ module.exports = {
 restoreBrain,
 deleteAllBrain,
 workspaceWiseList
-}
+}
diff --git a/nodejs/src/routes/web/brains.js b/nodejs/src/routes/web/brains.js
index 0ec1f09b..fcb04c95 100644
--- a/nodejs/src/routes/web/brains.js
+++ b/nodejs/src/routes/web/brains.js
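Review bot: The new `const { ROLE_TYPE } = require('../../config/constants/common');` is placed between two controller definitions instead of in the file's top-of-file require block, which hides the dependency and breaks the file's convention; move it up with the other requires. The role check itself fails closed (an unset `req.roleCode` matches neither constant and is rejected), but the comment should record where `req.roleCode` is expected to come from and that this is a second gate behind the route-level `checkPermission`, e.g. `// Defense in depth: /deleteall already runs checkPermission; req.roleCode is presumably set by the authentication middleware — keep the two role lists in sync`. The comment says "MANAGER" while the constant is `ROLE_TYPE.COMPANY_MANAGER`; naming the constant avoids the two drifting apart. If `util.unAuthorizedRequest` emits a 401, note that this branch is an authorization failure for an already-authenticated caller, for which a 403-style helper would be the more accurate signal — worth confirming what that helper sends. The body of deleteAllBrain continues past the end of the hunk.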
@@ -3,14 +3,14 @@ const router = express.Router();
 const brainController = require('../../controller/web/brainController');
 const { createBrainKeys, updateBrainKeys, shareBrainKeys, unshareBrainKeys, shareDocKeys } = require('../../utils/validations/brain');
 const { partialUpdateKeys } = require('../../utils/validations/common');
-const { authentication } = require('../../middleware/authentication');
+const { authentication, checkPermission } = require('../../middleware/authentication');
 const { checkPromptLimit } = require('../../middleware/promptlimit');
 router.post('/create', validate(createBrainKeys), authentication,checkPromptLimit, brainController.createBrain);
 router.put('/update/:id', validate(updateBrainKeys), authentication,checkPromptLimit, brainController.updateBrain);
 router.get('/:slug', authentication, brainController.getBrain);
 router.delete('/delete/:id', authentication, brainController.deleteBrain);
-router.delete('/deleteall', authentication, brainController.deleteAllBrain);
+router.delete('/deleteall', authentication, checkPermission, brainController.deleteAllBrain).descriptor('brain.delete_all');
 router.post('/list', authentication, checkPromptLimit, brainController.getAll);
 router.patch('/partial/:slug', validate(partialUpdateKeys), authentication, brainController.partialUpdate);
 router.post('/unshare', validate(unshareBrainKeys), authentication, brainController.unShareBrain);
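Review bot: The new `/deleteall` line gives no visible link between `checkPermission` and the `.descriptor('brain.delete_all')` chained after it, so a reader cannot tell whether the middleware resolves its permission from that descriptor or from somewhere else; a comment above the route, e.g. `// checkPermission is evaluated against the 'brain.delete_all' descriptor registered on this route`, would make the contract explicit, once confirmed against the middleware. `.descriptor` is not part of Express's Router API and is presumably a project extension on the router; if it is absent at runtime the whole route file fails at startup, so that dependency is worth a note too. Middleware order is correct: `checkPermission` runs after `authentication`, so it sees whatever identity that middleware attaches to `req`. The sibling destructive routes `/delete/:id` and `/unshare` still run with `authentication` alone; if the same permission model is intended for them, that is a follow-up to track rather than leave implicit.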